Critical SAP S/4HANA Vulnerability Under Attack, Patch Now

Summary

A critical code-injection vulnerability in SAP S/4HANA (CVE-2025-42957) with a 9.9 CVSS score has been confirmed under active exploitation. The flaw lets a low-privileged user inject ABAP code that can escalate to full control of the SAP system and the host operating system. SecurityBridge discovered the issue and verified in-the-wild abuse; Pathlock also reported exploitation-like activity and a surge in attempts after SAP released its August 2025 security updates. SAP customers are urged to apply the official patch immediately and adopt mitigations such as UCON to limit RFC usage and heightened log monitoring.

Key Points

  • CVE-2025-42957 is a critical code injection vulnerability impacting private-cloud and on-premise SAP S/4HANA instances (CVSS 9.9).
  • An attacker with a valid low-privilege user account can inject ABAP, elevate privileges, and gain administrative control of the SAP environment and host OS.
  • SecurityBridge confirmed actual exploitation in the wild; Pathlock observed suspicious activity and a spike in attempts after the patch release.
  • SAP released a patch in its August 2025 security updates; SecurityBridge warns the patch is relatively easy to reverse engineer, increasing urgency to patch.
  • Recommended defences: apply SAP’s security update immediately, implement Unified Connectivity (UCON) to restrict RFC usage, and monitor logs for suspicious RFC calls and newly created admin accounts.
  • The incident follows earlier spring attacks on a critical SAP NetWeaver zero-day (CVE-2025-31324), showing a pattern of targeted SAP exploitation waves.
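The "monitor logs for suspicious RFC calls and newly created admin accounts" recommendation above can be turned into two simple correlation rules. The following is an added example, not code from the original article or from SAP, SecurityBridge or Pathlock. The log format, the user names, the `Z_*` function names and the role names are all constructed placeholders for this example and are not SAP's Security Audit Log format or real SAP objects; the baseline dictionary stands in for whatever allowlist an organisation derives from its UCON phase-logging data.

```python
"""Detection sketch: flag RFC usage outside a baseline and new admin accounts.

Everything below (log format, users, function and role names) is constructed
for this example; it is not SAP's audit-log format or real SAP objects.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records. Columns: timestamp, user, event, detail, source_host
SAMPLE_LOG = """\
timestamp,user,event,detail,source_host
2025-08-12T08:01:10Z,SVC_INTEGRATION,RFC_CALL,Z_INTEGRATION_SYNC,app01
2025-08-12T08:02:33Z,JDOE,RFC_CALL,Z_INTEGRATION_SYNC,ws-117
2025-08-12T08:02:51Z,JDOE,RFC_CALL,Z_EXEC_PLACEHOLDER,ws-117
2025-08-12T08:03:05Z,JDOE,USER_CREATE,NEWADMIN01,ws-117
2025-08-12T08:03:40Z,JDOE,ROLE_ASSIGN,NEWADMIN01:ADMIN_ROLE_PLACEHOLDER,ws-117
2025-08-12T08:10:12Z,SVC_INTEGRATION,RFC_CALL,Z_INTEGRATION_SYNC,app01
2025-08-12T09:00:00Z,BASIS_ADMIN,USER_CREATE,TEMP_CONTRACTOR,adm01
2025-08-12T09:00:30Z,BASIS_ADMIN,ROLE_ASSIGN,TEMP_CONTRACTOR:DISPLAY_ONLY_PLACEHOLDER,adm01
"""

# Constructed baseline: which users are expected to call which RFC functions.
# This mirrors the intent of a UCON-style allowlist; anything outside it deserves a look.
RFC_BASELINE: dict[str, set[str]] = {
    "SVC_INTEGRATION": {"Z_INTEGRATION_SYNC"},
}

# Role names treated as administrative (constructed placeholders).
ADMIN_ROLES = {"ADMIN_ROLE_PLACEHOLDER"}

# A USER_CREATE followed by an admin ROLE_ASSIGN inside this window counts as one event.
CORRELATION_WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class Finding:
    severity: str
    actor: str
    rule: str
    evidence: str


def _parse(log_text: str) -> list[dict]:
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def detect(log_text: str) -> list[Finding]:
    rows = _parse(log_text)
    findings: list[Finding] = []

    # Rule 1: RFC call by a user with no baseline, or to a function outside that user's baseline.
    rfc_offenders: set[str] = set()
    for r in rows:
        if r["event"] != "RFC_CALL":
            continue
        if r["detail"] not in RFC_BASELINE.get(r["user"], set()):
            rfc_offenders.add(r["user"])
            findings.append(Finding("medium", r["user"], "unexpected_rfc_call",
                                    f'{r["detail"]} from {r["source_host"]} at {r["timestamp"]}'))

    # Rule 2: an account is created and then given an admin role by the same actor
    # within the window. Severity rises if that actor also tripped rule 1.
    for c in (r for r in rows if r["event"] == "USER_CREATE"):
        for r in rows:
            if r["event"] != "ROLE_ASSIGN" or r["user"] != c["user"]:
                continue
            target, _, role = r["detail"].partition(":")
            delta = r["ts"] - c["ts"]
            if target == c["detail"] and role in ADMIN_ROLES and timedelta(0) <= delta <= CORRELATION_WINDOW:
                severity = "critical" if c["user"] in rfc_offenders else "high"
                findings.append(Finding(severity, c["user"], "new_admin_account",
                                        f"created {target} and assigned {role} after {delta}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f.severity}] {f.actor}: {f.rule} ({f.evidence})")
```

On the constructed sample this yields three findings, all for the same actor: two unexpected RFC calls and one new admin account rated critical because the creator also made those calls. The ordinary contractor account with a display-only role produces nothing, which is the point of correlating role assignment with creation rather than alerting on every new user.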

Context and Relevance

This vulnerability strikes at core enterprise infrastructure: SAP S/4HANA is widely used for finance, supply chain and other critical business processes. Because exploitation requires only a valid user account and is low in complexity over the network, organisations face a high risk profile — especially where user credentials can be phished or reused. The fact that the patch can be reverse engineered shortens the time attackers need to weaponise an exploit, so timely remediation and tighter RFC controls are essential. The story also fits a broader trend of repeated, rapid exploitation of disclosed SAP flaws.

Why should I read this?

Short version: if your organisation runs S/4HANA, this isn’t one to ignore. One compromised user account could let attackers take the whole system — and the patch is out now. Read this so you know what to do next: patch, lock down RFCs with UCON, and watch logs like your payroll depends on it (because it does).

Source

Source: https://www.darkreading.com/vulnerabilities-threats/sap-4hana-vulnerability-under-attack